Vendure - XSS via SVG File Upload
CVE-2022-23065

5.4MEDIUM

Key Information:

Vendor: Vendure-ecommerce
Status: Vendure
Vendor: CVE Published:; 2 May 2022

🔔 Create Vendure-ecommerce Vulnerability Alert

What is CVE-2022-23065?

In Vendure versions 0.1.0-alpha.2 to 1.5.1 are affected by Stored XSS vulnerability, where an attacker having catalog permission can upload a SVG file that contains malicious JavaScript into the “Assets” tab. The uploaded file will affect administrators as well as regular users.

Affected Version(s)

vendure 0.1.0-alpha.2

vendure <= 1.5.1

References

https://github.com/vendure-ecommerce/vendure/commit/69a44...

x_refsource_MISC

https://www.whitesourcesoftware.com/vulnerability-databas...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2022
Vulnerability Reserved
Jan 10, 2022

Credit

WhiteSource Vulnerability Research Team (WVR)